Passer au contenu principal

Avant de commencer

You must enable Bot Detection and configure a CAPTCHA provider.
Auth0’s Bot Detection monitoring feature is an early warning system for botnet detection and attacks. Below is guidance for identifying bots trying to log into your tenant.

Find log events of interest

When considering a response, first sift through the log messages from the potential attack. For advanced analysis, enable log streaming and connect it to the external tool of your choice. The following log event types are relevant when investigating an uptick in bot activity.
Log Event TypeDescription
plaGenerated before login and monitor bot detection, even if bot detection is only in monitoring mode and not using CAPTCHAs to identify bots.
fuFailed user login events due to invalid username, which can indicate attempted username enumeration or account takeover attempts.
fpFailed user login events due to invalid password, which can indicate attempted credential stuffing attacks.
pwd_leakAttempted login events with a leaked password, which can indicate attempted credential stuffing attacks.
limit_wcIP block events for >10 failed login attempts to a single account, which indicates the IP address is likely to belong to a bot.
limit_sulUser block events for >20 login attempts per minute from the same IP address, which indicates likely bot activity.
limit_muIP block events for >100 failed login attempts or >50 signup attempts from the same IP address, which indicates likely bot activity.
fcoaFailed cross-origin authentication events, which indicates attackers using automation to perform account takeovers.
scoaSuccessful cross-origin authentication events, which indicates attackers using automation to perform account takeovers when originating from a small number of IP addresses across multiple users.

Attack response

While setting the level to High immediately mitigates the attack, a comprehensive strategy balances your business’s risk tolerance and technical capabilities with the experience your users will have when they sign in. When responding, consider two main factors:
  • User friction: evaluate the impact of mitigation measures (e.g. CAPTCHA frequency) on user experience.
  • Technical capacity: assess your ability to implement IP blocking, WAF rules, and enforcement.
Auth0 recommends a layered security approach that combines multiple mitigation techniques for optimal protection.

Mitigation strategies

For optimal protection from attacks, consider the following strategies:
  • Activate CAPTCHA for one or more flows and increase CAPTCHA frequency as needed, but remember that CAPTCHA is a deterrent, not a solution.
  • Change your CAPTCHA provider if attackers bypass your current CAPTCHA or consider migrating to Auth0’s Auth Challenge or another supported provider.
  • If you suspect a signup fraud campaign, temporarily prevent new user signups to your application from public, unauthenticated endpoints.
  • Change your web application firewall rules with an edge provider or use tenant access control lists to block abusive IPs, autonomous system numbers, geographic locations, TLS clients, or HTTP header elements like user-agent strings, and consider employing a reverse proxy.
  • Tighten Brute Force and Suspicious IP thresholds to reduce allowed connection limits and mitigate brute-force attacks. For more information about brute force attacks, read the Brute Force playbook.
  • Disable unused endpoints by modifying your Cross-Origin Authentication settings. If you suspect breached password attacks, read the Breached Password playbook.
  • Enforce step-up MFA for compromised accounts, up to and including requiring MFA for potentially compromised accounts.
  • Migrate to stronger MFA options to mitigate SMS pumping or toll fraud attacks by replacing SMS or voice-based MFA with OTP or Webauthn.